PRM? As we haven’t got enough acronyms in risk management already, I thought another one was required – right? So, what is PRM? I just made it up – Personal Risk Management!
They say charity starts at home – so why don’t we look at ERM, sorry PRM, in our personal lives? We can learn a lot from what we do well in our own lives and apply the same principles to our work lives and, bingo, we have good ERM working in our business!
One of the objectives of most people in their personal lives, I hope, is: To live a long and healthy life.
Risk, according to the ISO 31000 standard, is the “effect of uncertainty on objectives”. “Objectives” is where PRM/ERM starts. You cannot do any robust risk management without starting with objectives. This is the critical link between ERM and Strategy.
The second step is to understand what critical functions need to work well to achieve our objectives. In your personal life, it will include Skeleton, Vital Organs, Skin, Blood etc. In your business life, it is the critical processes on which your business depends – in other words, the critical parts of your operating model.
Once we understand the critical functions/processes, we can then begin identifying the risks that could cause the functions/processes to fail. In your personal life this will include such things as heart attack, melanoma, lung disease and so on. In your work life it will be a suite of corporate risks including transaction processing errors, internal/external fraud, third party failure and so on.
The next stage is to analyse our key risks in detail so we understand their root causes and how they link to the failure of the critical processes and, in turn, of our objectives.
For example, a heart attack may be caused, amongst other things, by clogged arteries. Clogged arteries may be caused by cholesterol, which in turn could be caused by diet or be hereditary. A heart attack then leads to failure of the heart as a vital organ, which leads to the failure of our long and healthy life objective.
Lastly, we identify our controls. For health risk, we may have diet, drugs, regular checkups, surgery etc. These controls can be classified into Preventive, Detective and Reactive controls, with Preventive operating at the earliest point, Detective somewhere in the middle and Reactive at the end. Read the article, Are you a Risk Manager?
An example bow tie for staff absenteeism is shown below:
Fig 1. Bow Tie analysis example
Source: Protecht.BowTie (available for iOS tablets on the App Store)
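To make the bow tie structure described above concrete, here is a small Python model of one: root causes on the left arm carrying preventive controls, the risk event at the knot carrying detective controls, and impacts on the right arm (each tied to the critical process that fails) carrying reactive controls. This is an added example written for this page, not Protecht's software and not the data model of the BowTie app; the staff-absenteeism data in it is constructed, and it deliberately leaves one cause without a control and places one control on the wrong arm so that the gap check has something to report.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterator


class ControlType(Enum):
    """Where a control sits on the bow tie, following the article's classification."""
    PREVENTIVE = "preventive"  # left arm: stops a root cause from producing the event
    DETECTIVE = "detective"    # knot: identifies that the event has occurred
    REACTIVE = "reactive"      # right arm: limits an impact once the event has occurred


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType


@dataclass
class Cause:
    """A root cause on the left-hand side and the controls placed on that line."""
    name: str
    controls: list[Control] = field(default_factory=list)


@dataclass
class Impact:
    """An impact on the right-hand side: the critical process that fails and its controls."""
    name: str
    failed_process: str
    controls: list[Control] = field(default_factory=list)


def _check_line(label: str, controls: list[Control], expected: ControlType) -> list[str]:
    """One line of the bow tie needs at least one control of the expected type,
    and should carry nothing of another type (that control belongs on another arm)."""
    findings = []
    if not any(c.kind is expected for c in controls):
        findings.append(f"{label}: no {expected.value} control")
    for c in controls:
        if c.kind is not expected:
            findings.append(f"{label}: '{c.name}' is {c.kind.value}, expected {expected.value}")
    return findings


@dataclass
class BowTie:
    event: str
    objective: str
    causes: list[Cause]
    impacts: list[Impact]
    detective: list[Control] = field(default_factory=list)

    def all_controls(self) -> Iterator[Control]:
        for cause in self.causes:
            yield from cause.controls
        yield from self.detective
        for impact in self.impacts:
            yield from impact.controls

    def control_counts(self) -> dict[str, int]:
        """Number of controls of each type across the whole bow tie."""
        counts = {kind.value: 0 for kind in ControlType}
        for control in self.all_controls():
            counts[control.kind.value] += 1
        return counts

    def control_gaps(self) -> list[str]:
        """Report each line lacking a control of the type its arm needs and each
        control placed on the wrong arm. An empty list means every path from a
        root cause through the event to the objective has a control of the right type."""
        gaps: list[str] = []
        for cause in self.causes:
            gaps += _check_line(f"cause '{cause.name}'", cause.controls, ControlType.PREVENTIVE)
        gaps += _check_line(f"event '{self.event}'", self.detective, ControlType.DETECTIVE)
        for impact in self.impacts:
            gaps += _check_line(f"impact '{impact.name}'", impact.controls, ControlType.REACTIVE)
        return gaps


def staff_absenteeism_bow_tie() -> BowTie:
    """Constructed sample data (not taken from the article's figure) for staff absenteeism."""
    return BowTie(
        event="Staff absenteeism exceeds tolerable level",
        objective="Deliver customer service within agreed service levels",
        causes=[
            Cause("Seasonal illness", [Control("Flu vaccination programme", ControlType.PREVENTIVE)]),
            Cause("Low staff morale"),  # deliberately uncontrolled, so the gap check flags it
            Cause("Workplace injury", [Control("Safety induction and training", ControlType.PREVENTIVE)]),
        ],
        detective=[Control("Daily attendance report against KRI threshold", ControlType.DETECTIVE)],
        impacts=[
            Impact("Service levels breached", "Customer service",
                   [Control("On-call contractor pool", ControlType.REACTIVE)]),
            # labelled preventive on purpose: a control on the impact arm should be reactive
            Impact("Transaction backlog", "Transaction processing",
                   [Control("Cross-training of staff", ControlType.PREVENTIVE)]),
        ],
    )


if __name__ == "__main__":
    bow_tie = staff_absenteeism_bow_tie()
    print(f"Objective: {bow_tie.objective}\nEvent: {bow_tie.event}")
    print("Controls by type:", bow_tie.control_counts())
    for gap in bow_tie.control_gaps() or ["no control gaps"]:
        print(" -", gap)
```

Running the sample reports the uncontrolled cause and the misplaced control on the transaction backlog line; the point of keeping the three control types on separate arms is that a gap check can then tell you not just whether a risk has controls, but whether it has controls at the stage (before, during, after the event) where they are missing.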
Once we have analysed our risks and related controls, we need to manage them, i.e. the process of Enterprise Risk Management (ERM).
ERM is exactly this process applied to your business. How healthy are you?
If you want to know how you can improve your business health, come to the Protecht Enterprise Risk Management training. If you are not located in Australia or New Zealand, we also offer it as an in-house option.
1. THE WHY OF ERM? WHERE IS THE INCENTIVE?
• The traditional view of risk and risk management
• Where’s the reward in risk management? Risk management as an enabler rather than a hindrance
• The key objectives of risk management
• Importance of linking risks to strategy and objectives
• Creating the incentive for ERM
2. THE WHAT OF ERM? UNDERSTANDING RISKS AND CONTROLS
• What is and what is not a risk?
• The three components of risk: Root Causes, Events and Impacts
• Defining the impacts: Failed Critical Processes and Objectives
• Bow Tie Analysis
• Describing risk. The do’s and don’ts
• Determining the entity level risks and the risk hierarchy
• Inherent and Residual risk
3. THE HOW OF ERM? RISK MANAGEMENT FRAMEWORK AND PROCESSES
• Risk Management Framework (RMF)
• Governance, Roles and Responsibilities, Three lines of defence, Risk Appetite, Risk Committees
• Risk Management processes: Risk Assessment, Controls Assurance, Key Risk Indicators, Incident Management, Issues and Actions Management
• Escalation, Reporting and Action
• People and Culture
• Continuous Improvement
4. RISK ASSESSMENT
• Risk and Control Self Assessment (RCSA)
• Stress Testing
• Controls Assurance
5. RISK MONITORING
• Key Risk Indicators
• Incident Management
6. CONTINUOUS IMPROVEMENT
• Issues and Actions Management and Risk Treatment methods
• Maturity Assessment
7. REPORTING AND ANALYTICS
• Risk Reporting
• Risk Analytics – moving to proactive risk management
• The dashboard report
8. PEOPLE AND CULTURE
• The key behaviours
• The key drivers of culture
• Assessing and reporting culture
Click on the banner to see the final dates and locations for this training, or send an email to firstname.lastname@example.org for in-house options.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).